
Design And Construct The Host-based Intrusion Detection System

Posted on: 2008-03-10
Degree: Master
Type: Thesis
Country: China
Candidate: X M Zhang
GTID: 2178360212494667
Subject: Software engineering
Abstract/Summary:

As network environments grow more complex and network attacks more frequent, network security has received more and more attention. Traditional network security technology is primarily defensive, so protection technology based on intrusion detection is receiving more attention.

This thesis addresses the security requirements of a hospitalization insurance system. The main server in the central network is very important to the system. After analyzing this security requirement, we propose a project based on host-based intrusion detection technology.

Intrusion detection is one of the core technologies of network security. By analyzing information collected from the network and from computer systems, it can discover whether there is behavior that violates the security policy and whether there are signs of attack. It collects this information from machines placed at key points of the network.

We added some new functions to the HIDS (Host-based Intrusion Detection System) and improved the performance of the HIDS engine:

1. The HIDS is used to protect files, the registry, IIS and so on.
2. We combine the network-based IDS already used in the system and the host-based IDS into one system. It can analyze data streams from the host detector and the network detector at the same time.
3. We use an improved intrusion detection method that combines the dynamic clonal selection algorithm with a gene library, building on the earlier immune IDS model. The method is very effective as the engine.

In addition, the system uses central management, so that the detection data produced by the host detector and the network detector can be collected at the control console to provide information for the next step of intrusion analysis. The console manages every detector through a graphical interface and can retrieve logs, back up, recover, generate reports and so on.

In the implementation of the console, we put emphasis on log retrieval, detector management, rule management, log reports and user management. Moreover, the warning response part of the system can warn the administrator by firewall, email and SNMP so that the administrator can take immediate measures to protect the system. The system can also communicate with firewalls. After detecting an attack, the detector sends a lock request to the firewalls. As soon as they receive the request, the firewalls generate a dynamic security rule to interrupt the attack.
Keywords/Search Tags:Invasion detection, Host-based IDS, Network-based IDS, Artificial immune